Use and Disclosure of Protected Health Information: Difference between revisions

no edit summary
No edit summary
No edit summary
Line 25: Line 25:
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]]
<br /><br />
<br /><br />
Policy No.: '''6057'''<br />
Policy No.: '''6057'''<br />
Effective Date: '''03/17/03'''<br />
Effective Date: '''03/17/03'''<br />
Revised Date: '''10/30/2013'''<br />
Revised Date: '''10/30/2013'''<br />
Review Date: '''10/29/2013'''<br />
Review Date: '''10/29/2013'''<br />


<big>'''Use and Disclosure of Protected Health Information Policy'''</big>  
<big>'''Use and Disclosure of Protected Health Information Policy'''</big>  
Line 34: Line 34:
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA.  ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])
To establish guidelines for the use and disclosure of protected health information (PHI) in accordance with HIPAA.  ([http://www.gpo.gov/fdsys/pkg/CFR-2010-title45-vol1/pdf/CFR-2010-title45-vol1-sec164-502.pdf 45 CFR 164.502])
== Policy ==  
== Policy ==  
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and Executive Memorandum No. 27.
The University of Nebraska Medical Center (UNMC) shall use and disclose protected health information (PHI) in accordance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements and [http://nebraska.edu/docs/president/27%20HIPAA%20Compliance.pdf University of Nebraska Executive Memorandum No. 27].
== Definitions ==
== Definitions ==
'''Treatment''' means the provision, coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
'''Treatment''' means the provision, coordination or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.<br />
Line 58: Line 58:
:#Resolution of internal grievances
:#Resolution of internal grievances
:#Fundraising
:#Fundraising
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:
:#Is created or received by ACE; and
:#Is created or received by ACE; and
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
:#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
Line 69: Line 69:
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />
Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records held by UNMC in its role as employer.<br />


'''Health information Exchange (HIE)''' is the electronic movement of health-related information among organizations according to nationally recognized standards. The goal of health information exchange is to facilitate access to and retrieval of clinical data to provide safer, timelier, efficient, effective and equitable patient-centered care. '''Health information exchange organizations (HIOs)''' provide the capability to electronically move clinical information between disparate health care information systems.  <br />
'''Health information Exchange (HIE)''' is the electronic movement of health-related information among organizations according to nationally recognized standards. The goal of health information exchange is to facilitate access to and retrieval of clinical data to provide safer, timelier, efficient, effective and equitable patient-centered care. '''Health information exchange organizations (HIOs)''' provide the capability to electronically move clinical information between disparate health care information systems.  <br />


'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />
'''Affiliated Covered Entity (ACE)''' means University of Nebraska Medical Center, The Nebraska Medical Center, UNMC Physicians, University Dental Associates, Bellevue Medical Center and The Nebraska Pediatric Practice Plan as one covered entity for the purpose of sharing PHI under HIPAA.<br />


'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />
'''Individual''' means the person who is the subject of the protected health information. Personal representatives of the individual have the same rights as the individuals under HIPAA. Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the individual.<br />


'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing below.<br />
'''Marketing''' means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. See Use and Disclosure of PHI for Marketing below.<br />


'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research below.<br />
'''Research''' means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalized knowledge. Generalized knowledge is knowledge that can be applied to populations outside the population service by the ACE. See Use and Disclosure of PHI for Research below.<br />


'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information below.
'''Sale of Protected Health Information''' means disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information. See Sale of Protected Health Information below.
== Procedures ==
== Procedures ==
===Use/Disclosure of PHI Related to Healthcare===
===Use/Disclosure of PHI Related to Healthcare===
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.
Protected Health Information (PHI) may be used and disclosed by the ACE for its own treatment, payment and healthcare operations (as defined above). These entities may share PHI with one another without patient authorization to conduct business on behalf of the organizations.
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.
:#Care providers may share medical information with the individual and other people that individual would like to be involved in his/her care (i.e. family members, other relatives, friends, etc.). If possible, care providers should obtain the individual’s permission to share information with others during the course of treatment. However, care providers may use their professional judgment and reasonably infer from the circumstances that an individual does not object to sharing information with others who may visit or call on the telephone. Only information relevant to such person’s involvement with the individual’s care should be shared.
:#The ACE may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.
:#The ACE may disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual.
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
The ACE may disclose PHI for the treatment activities of a healthcare provider.<br />
Line 89: Line 89:
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />
The ACE may disclose PHI to another covered entity or a healthcare provider for the payment activities of the entity that receives the information.<br />


Use of electronic health information exchanges (HIEs).   The ACE may access and disclose PHI through ACE-approved HIEs.   Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The ACE is a member of two HIEs:
Use of electronic health information exchanges (HIEs). The ACE may access and disclose PHI through ACE-approved HIEs. Use and disclosure of PHI is restricted to the permitted uses and disclosures of the particular HIE. The ACE is a member of two HIEs:
:#Nebraska Health Information Initiative (NeHII). NeHII participants may access NeHII PHI for treatment, payment and limited health care operations purposes. Refer to the NeHII Privacy and Information Security Policies and Procedures or contact the Privacy Office if you are unsure whether a particular use of NeHII PHI is permissible.   
:#Nebraska Health Information Initiative (NeHII). NeHII participants may access NeHII PHI for treatment, payment and limited health care operations purposes. Refer to the [http://nehii.org/index.php?option=com_docman&Itemid=59 NeHII Privacy and Information Security Policies and Procedures] or contact the Privacy Office if you are unsure whether a particular use of NeHII PHI is permissible. <br />
EPIC Care Everywhere and Care Elsewhere. Use of EPIC Care Everywhere and Care Elsewhere is restricted to treatment purposes only. It cannot be used for payment, healthcare operations or other purposes otherwise permitted under HIPAA.<br />
   
EPIC Care Everywhere and Care Elsewhere. Use of EPIC Care Everywhere and Care Elsewhere is restricted to treatment purposes only. It cannot be used for payment, healthcare operations or other purposes otherwise permitted under HIPAA.<br />


UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that require PHI to perform the services.<br />
UNMC shall enter into a business associate agreement with outside entities performing services on its behalf that require PHI to perform the services.<br />


Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See UNMC Policy No. 6058, [[Notice_of_Privacy_Practices|Notice of Privacy Practices]].<br />
Individuals shall sign an acknowledgement of receipt of the Notice of Privacy Practices when they first access the ACE for direct treatment, explaining how their PHI may be used and disclosed. See UNMC Policy No. 6058, [[Notice_of_Privacy_Practices|Notice of Privacy Practices]].<br />


Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:
Individuals will be given the opportunity to agree or object to follow uses/disclosures of their PHI:
Line 102: Line 103:
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment, if the individual is available and has the capacity to agree or reject.
:#Disclosure of PHI to family member, other relative, or close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment, if the individual is available and has the capacity to agree or reject.
===Request for restrictions===   
===Request for restrictions===   
Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.
Individuals may request restrictions on how their health information is used or disclosed for treatment, payment or healthcare operation purposes, or to certain family member or others involved in their care. Requests for restrictions can be denied, with one exception. Requests to restrict self-pay account information from being sent to third party payers must be approved if the account is paid in full out of pocket in advance.
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Chief Medical Officer for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.
:#All requests for restrictions must be in writing and shall be forwarded to the Health Information Management Department Manager of Health Information Logistics. The Privacy Officer shall be notified and shall coordinate the request for restrictions to the Chief Medical Officer for approval/disapproval. If a request for restriction is approved, processes must be implemented to restrict the use or disclosure of the information within the scope of the approved restriction. Information subject to an approved restriction can be used for emergency treatment if needed, but the healthcare provider cannot further use or disclose the information.
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.
:#Requests to have medical information removed from a medical information system/medical record will not generally be approved, since records of treatment provided must be kept and made available for several regulatory and business purposes.
===Use/Disclosure of PHI Related for Training Healthcare Professionals===
===Use/Disclosure of PHI Related for Training Healthcare Professionals===
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.
Training healthcare professionals is a category of healthcare operations. Staff may share PHI with students, residents, trainees and faculty supervising such individuals pursuant to a clinical affiliation agreement between UNMC and the affiliation institution. Individuals receiving training and faculty supervising such individuals at UNMC shall be considered members of UNMC’s workforce for purposes of HIPAA.
===Use/Disclosure of PHI Permitted/Required by Law===
===Use/Disclosure of PHI Permitted/Required by Law===
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:
Disclosure of PHI beyond treatment, payment and healthcare operations (TPO) may be made without individual authorization for the following purposes:
Line 113: Line 114:
:##Disclosures to a school, limited to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.
:##Disclosures to a school, limited to proof of immunization of a student or prospective student, and UNMC has obtained and documented agreement from the parent, legal guardian, or the individual if the individual is an adult or emancipated minor.
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.
:#Reports of suspected abuse, neglect or domestic violence made by mandatory reporters to governmental agencies authorized by law to receive such reports.
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes below.
:#Disclosures for law enforcements purposes. See Use/Disclosure of PHI for Law Enforcement Purposes below.
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.
:#Disclosure for health oversight activities authorized by law, such as audits, investigations, licensure or disciplinary actions.
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.
:#Disclosure for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena.
Line 124: Line 125:
PHI may be disclosed to law enforcement under the following circumstances:
PHI may be disclosed to law enforcement under the following circumstances:
:#Laws require reporting violent wounds to law enforcement
:#Laws require reporting violent wounds to law enforcement
:#A valid subpoena or warrant is presented. Contact the Health Information Management Department, UNMC Associate General Counsel for Healthcare or the UNMC Compliance Officer to review the subpoena or warrant.
:#A valid subpoena or warrant is presented. Contact the Health Information Management Department, UNMC Associate General Counsel for Healthcare or the UNMC Compliance Officer to review the subpoena or warrant.
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only:  name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics.   
:#Law enforcement officer wishes to identify or locate a suspect, fugitive, material witness or missing person. May provide the following information only:  name, address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury date and time of treatment, date of death, and distinguishing characteristics.   
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples
:##May not provide DNA information, blood samples, dental records, tissue or other fluid samples
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.
:#If the patient is a crime victim (or suspected crime victim) may disclose information with the patient’s consent. If the patient is unable to give consent, information necessary to investigate the crime may be provided to law enforcement. Use professional judgment.
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.
:#Patient is deceased and the death is (or suspected to be) the result of criminal conduct.
:#Crime (or suspected crime) occurred on UNMC campus.
:#Crime (or suspected crime) occurred on UNMC campus.
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)
:#UNMC staff providing emergency care in an emergency situation off-campus during work time, and information is necessary to alert law enforcement to a potential crime (i.e. accident scene involving hit-and-run, etc.)
===Use/Disclosure of PHI for Marketing===
===Use/Disclosure of PHI for Marketing===
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.
The term “marketing” under HIPAA has a specific meaning for purposes of determining when PHI can be used or disclosed without individual authorization. Marketing under HIPAA is making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Marketing includes an arrangement between UNMC and any other entity whereby UNMC discloses PHI to the other entity in exchange for direct or indirect financial remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. If UNMC does not receive any remuneration from an external entity, the activity is not considered to be marketing under HIPAA.
Additionally the following activities are not marketing under HIPAA:
Additionally the following activities are not marketing under HIPAA:
:#Communication for treatment of the individual.
:#Communication for treatment of the individual.
Line 139: Line 140:
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />
:##Communications to describe the health related product or service that is provided by or included in a plan of benefits of UNMC, including communications about (i) the entities participating in a healthcare provider network or health plan network; (ii) replacement of, or enhancements to, a health plan; and (iii) health related products or services available only to a health plan enrollee that add value to, but are not a part of, a plan of benefits<br />


Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.
Use and disclosures of PHI for marketing as defined by HIPAA require signed patient authorization. The authorization must state that UNMC will receive remuneration for the marketing activity.
===Use/Disclosure of PHI for Fundraising===
===Use/Disclosure of PHI for Fundraising===
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
Fundraising using PHI shall be conducted through The Nebraska Medical Center Development Office and/or the NU Foundation, depending on the organizations involved.<br />
Line 152: Line 153:
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization.  <br />
Disclosure of all other types of PHI for fundraising purposes is prohibited unless the patient signs an authorization.  <br />


All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.
All fundraising materials must clearly and conspicuously explain how the individual may opt out of receiving any further fundraising communications for an individual campaign or for all future fundraising. The cost of opting out must be nominal, so postage-paid envelopes should be provided, or a toll-free telephone number and/or email address provided so individuals can opt-out without incurring costs. If an individual opts-out of fundraising, the action is treated as a revocation of authorization and UNMC may not make further fundraising communications to the individual within the scope of revocation. UNMC may not condition treatment or payment on the individual’s choice about receiving future fundraising communications.
===Use/Disclosure of PHI for Research===
===Use/Disclosure of PHI for Research===
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA.  <br />
All research requests using PHI must be submitted to the UNMC Institutional Review Board for review and approval. See UNMC Human Research Protection Policies and Procedures. The IRB approved consent also contains the HIPAA-compliant authorization when required under HIPAA.  <br />


Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm.
Review of PHI Preparatory to Research. ACE staff and students who wish to review PHI to prepare a research proposal must submit a “Request for Electronic Health Data” form to the Electronic Health Record Core to obtain access to PHI. The form is located at: http://www.unmc.edu/cctr/ehr_research.htm.
===Sale of Protected Health Information===
===Sale of Protected Health Information===
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale.  This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:
Selling protected health information is prohibited unless the patient signs an authorization specifically permitting the sale.  This includes any disclosure of PHI where UNMC directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the protected health information. Sale of protected health information does not include a disclosure of PHI:
:#For public health purposes
:#For public health purposes
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes
:#For research purposes where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes
Line 164: Line 165:
:#To an individual where the individual is requesting access to their own PHI
:#To an individual where the individual is requesting access to their own PHI
:#Required by law; and
:#Required by law; and
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />
:#For any other permitted purpose where the only remuneration received by UNMC is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law. The reasonable, cost-based fee includes both direct and indirect costs for generating, storing, retrieving and transmitting PHI, including labor, material and supplies.<br />


De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.
De-identified data is not PHI and therefore is not subject to the remuneration prohibition. However, limited data sets are PHI and are subject to this provision.
===Authorization Required for all other Uses/Disclosures===
===Authorization Required for all other Uses/Disclosures===
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in UNMC Policy No. 6066, [[Psychotherapy Notes]].
All other uses and disclosures of PHI not described in the sections above are prohibited unless the patient signs an authorization specifically permitting the use/disclosure (Form CON-MR-0074). Restrictions on the use and disclosure of psychotherapy notes are explained in UNMC Policy No. 6066, [[Psychotherapy Notes]].
===Minimum Necessary===
===Minimum Necessary===
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request.[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]
When using, disclosing or requesting PHI, staff shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purposes of the use, disclosure or request.[http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.pdf 45 CFR 164.502(b)]
Line 201: Line 202:
:#Biometric identifiers, including finger and voice prints; and
:#Biometric identifiers, including finger and voice prints; and
:#Full face photographic images and any comparable images
:#Full face photographic images and any comparable images
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.  
The recipient of the limited data set must enter into a data use agreement. If a limited data set recipient breaches the data use agreement, UNMC shall take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, shall discontinue disclosure of PHI to the limited data set recipient.  
===De-Identification /Re-Identification of PHI (164.514)===
===De-Identification /Re-Identification of PHI (164.514)===
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:
'''De-Identification of PHI.''' PHI may be used to create information that is not individually identifiable health information (de-identified). The HIPAA privacy rules do not apply to information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. PHI is de-identified when 18 identifiers of the individual or of relatives, employers or household members of the individual are removed and the organization does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information. The identifiers are:
:#Names
:#Names
:#All geographic subdivisions smaller than a state
:#All geographic subdivisions smaller than a state
:#All elements of dates except year, for dates related to individual
:#All elements of dates except year, for dates related to individual
:#Telephone numbers
:#Telephone numbers
:#Fax numbers
:#Fax numbers
Line 230: Line 231:
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*UNMC Policy No. 6058, [[Notice of Privacy Practices]]
*UNMC Policy No. 6066, [[Psychotherapy Notes]]
*UNMC Policy No. 6066, [[Psychotherapy Notes]]
*NeHII Privacy and Information Security Policies and Procedures
*[http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/hipaastatutepdf.pdf Health Insurance Portability and Accountability Act of 1996] (HIPAA) requirements  
*Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements  
*[http://nebraska.edu/docs/president/27%20HIPAA%20Compliance.pdf University of Nebraska Executive Memorandum No. 27]
*University of Nebraska Executive Memorandum No. 27
*[http://nehii.org/index.php?option=com_docman&Itemid=59 NeHII Privacy and Information Security Policies and Procedures]


This page is maintained by [mailto:dpanowic@unmc.edu dkp].
This page is maintained by [mailto:dpanowic@unmc.edu dkp].